Internal audit

provide assurance that the organisation's financial and operational controls are operating effectively to manage corruption risks, and

assist management in improving business performance.

Internal auditors review and evaluate the financial and operational controls put in place by management, including those which prevent and detect corruption. Internal auditors identify weaknesses or failures to implement these controls and make recommendations to improve them.

Auditors also have general expertise in risk management and are therefore in a position to assist agencies with their corruption risk management process in a number of ways, for example by:

providing training and advice to managers about risk management

facilitating or coordinating the corruption risk management process in the agency

assisting management with the design and implementation of the agency's internal controls

monitoring how well managers control risks, and

providing advice about the adequacy of risk treatment strategies.

This is not a role that is undertaken by internal audit in all public sector agencies. However, internal audit is moving beyond its traditional role of examining the effectiveness of agency controls. KPMG notes that:

The modern organisation's internal audit function is a key participant in antifraud activities, supporting management's approach to preventing, detecting, and responding to fraud and misconduct. Such responsibilities represent a change from the more traditional role of internal audit.

The extent of the role currently played by internal audit in an agency's corruption risk management process will vary. Some agencies may have little experience with risk management generally and may, consequently, give internal audit a key role in the corruption risk management process. Other agencies may be very experienced in risk management or even have a dedicated risk management officer or unit. In these agencies, internal audit's role may be more focused on the effectiveness of the corruption risk treatment strategies or processes rather than on risk identification.

Case study

A sales administrator employed by the Roads and Traffic Authority (RTA) took advantage of RTA procedures to solicit and receive payments from real estate agents retained by the RTA to sell land. In exchange for these payments, he recommended the continued use of the agents' services. He was found to have engaged in this corrupt conduct from 1989 to 1994.

The ICAC found that the RTA's systems and procedures had provided the sales administrator with the opportunity to engage in corrupt conduct. In early 1991, the RTA's internal audit branch had conducted a detailed property services fraud limitation review. It had identified the risk of corrupt payments of the kind established in this inquiry and suggested a remedy. Although the remedy suggested was not accepted by RTA management, it acknowledged the existence of the risk and suggested a different remedy. However, ultimately the RTA did not implement either remedy. The sales administrator's corrupt activity commenced around 1989 and continued until the ICAC's investigation in 1994. Thanks to its audit branch, the RTA was aware of the risk that a staff member could behave just as this sales administrator did. If it had implemented measures to address this risk, it is possible that this staff member's corrupt conduct might have been discovered much sooner.